A personal computer and a modem access to the Internet are all the tools that a computer hacker needs to conduct a cyber attack on a computer system. The rapid growth of a computer-literate population provides millions of people the opportunity to possess the skills necessary to conduct a cyber attack. The computer literate population includes recreational hackers who attempt to gain unauthorized electronic access to information and communication systems. These computer hackers are often motivated only by personal fascination with hacking as an interesting game. Criminals, and perhaps organized crime, might also attempt personal financial gain through manipulation of financial or credit accounts or stealing services. Industrial espionage can also be the reason for a cyber attack on a competitor's computer system. Terrorists may attempt to use the computer infrastructure. Other countries may use the computer infrastructure for national intelligence purpose. Finally, there is the prospect of information warfare, which is a broad, orchestrated attempt to disrupt a United States military operation, critical infrastructure(s), or significant economic activity.
A typical secure computer network has an interface for receiving and transmitting data between the secure network and computers outside the secure network. The interface may be a modem or an Internet Protocol (IP) router. Data received by the modem passes through a firewall, which is a network security device that only allows data packets from a trusted computer to be routed to specific addresses within the secure computer network. Although the typical firewall is adequate to prevent outsiders from accessing a secure network, hackers and others can often breach a firewall. An entry by an unauthorized user into the secure computer network, past the firewall, from outside the secure computer network is an intrusion. As can be appreciated, new ways of overcoming the security devices are developed every day.
Another type of unauthorized operation is insider misuse, which is an unauthorized access from a computer within the secure computer network. In insider misuse, the firewall is not breached. Instead, the unauthorized operation occurs from inside the secure computer network. For example, an unauthorized user could obtain the password of an authorized user, logon to the secure computer network from the authorized user's computer, and attempt to perform operations not typically associated with the authorized user.
Security and intrusion detection systems exist that can determine if very specific and well known types of breaches of computer security are occurring. These computer security systems passively collect audit information from network devices and format those audits for later review. Known attack signatures can be identified, but new attacks cause these systems significant problems since the identification of a new attack often needs to have human intervention and assistance. Furthermore these computer security systems do not take steps to stop the misuse or intrusion after it is detected. Security systems that do take active steps are limited to logging a user off the network, stopping communications with that computer, halting operations and shutting down and restarting the computer system, and notifying security personnel of the breach, often by e-mail message.
Once an intruder gains access to information on the secure computer network, the intruder can compromise information on the network such that an extensive recovery process will be required if all the compromised information is to be recovered. For example, if the secure computer network is subjected to an information warfare (IW) attack, then restoration of the secure computer network to full operational capability may involve shutdown of the secure computer network, and a time-consuming restart. Intruders may be able to take advantage of the down-time associated with recovery by physically attacking assets associated with the secure computer network. Existing computer security systems are not capable of rapidly returning a compromised secure computer network to even a minimal level of operation, let alone to full operational capability.